I'm trying to add TPM support to the initrd images on Fedora 20. The idea is that the keys for the hard drive encryption are only handed out to cryptsetup as long as the whole boot chain is unmodified.
The tpm-luks package seems to be able to do the trick, but it needs to be adapted to the current boot procedure, where systemd is part of the initial ramdisk image.
For observing what's going on inside the initramfs, dracut already offers a lot of functionality, which can be activated with the following debugging options on the kernel command line:
- rd.debug - print more debugging information.
- rd.shell - in case of errors, drop the user into a shell.
- rd.break - break into a shell at pre-defined points in the boot process and continue booting after the shell exits.
The shell in particular is a good helper, but I was looking for something that lets me poke around while systemd is presenting the user with the password prompt. For this I wanted a shell inside the initramfs that allows out-of-band access. A simple sh started in the background with input and output redirected to /dev/ttyS1 should do the trick, I decided.
A nice feature of dracut is that it allows arbitrary files to be included in the initramfs through its file injection feature (the --include option). This way a new systemd service file can be added which takes care of starting the serial shell:
[Unit]
Description=Debugshell on ttyS1
[Service]
ExecStart=/bin/sh -c '/bin/sh < /dev/ttyS1 > /dev/ttyS1 2>&1'
To make it all work, a directory tree for the overlay needs to be created and the appropriate symlink dropped into the cryptsetup.target.wants directory so that systemd fires up the shell together with the cryptsetup target:
mkdir -p rd.live.overlay/etc/systemd/system/cryptsetup.target.wants
cat << EOF > rd.live.overlay/etc/systemd/system/debugshell.service
[Unit]
Description=Debugshell on ttyS1
[Service]
ExecStart=/bin/sh -c '/bin/sh < /dev/ttyS1 > /dev/ttyS1 2>&1'
EOF
ln -s ../debugshell.service rd.live.overlay/etc/systemd/system/cryptsetup.target.wants/debugshell.service
dracut -f --include rd.live.overlay / /boot/initramfs-$(uname -r).img
And that's it. On the next boot a serial shell is available on ttyS1 while the password for the encrypted disk is asked for on the main screen.
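The same procedure as a small script, added here as an example and not part of the original post: it generalizes the steps above by taking the tty and the target whose .wants directory receives the symlink as parameters, and it checks the overlay tree before handing it to dracut. The function names, the check_overlay step and the argument handling are my own additions; the unit file contents and the dracut invocation are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build the dracut overlay
# for a serial debug shell with the tty and the target as parameters,
# and verify the tree before regenerating the initramfs.
set -eu

# make_overlay OVERLAY_DIR TTY TARGET
# Creates OVERLAY_DIR/etc/systemd/system/debugshell.service and the
# ".wants" symlink that makes systemd start it together with TARGET.
make_overlay() {
    overlay="$1"; tty="$2"; target="$3"
    unitdir="$overlay/etc/systemd/system"
    mkdir -p "$unitdir/$target.wants"
    cat > "$unitdir/debugshell.service" << EOF
[Unit]
Description=Debugshell on $tty
[Service]
ExecStart=/bin/sh -c '/bin/sh < /dev/$tty > /dev/$tty 2>&1'
EOF
    # Relative link, as in the post, so it stays valid once the tree is
    # copied into the initramfs root.
    ln -sf ../debugshell.service "$unitdir/$target.wants/debugshell.service"
}

# check_overlay OVERLAY_DIR TARGET  -> returns 0 if the tree is consistent
# Verifies that the unit exists, carries an ExecStart line, and that the
# wants symlink resolves to it (a wrong relative path is the usual mistake
# and results in the shell silently never starting).
check_overlay() {
    unitdir="$1/etc/systemd/system"
    link="$unitdir/$2.wants/debugshell.service"
    [ -f "$unitdir/debugshell.service" ] || return 1
    grep -q '^ExecStart=' "$unitdir/debugshell.service" || return 1
    [ -L "$link" ] || return 1
    [ "$(readlink -f "$link")" = "$(readlink -f "$unitdir/debugshell.service")" ] || return 1
}

# build_initramfs OVERLAY_DIR
# Regenerates the running kernel's initramfs with the overlay merged into
# its root; same dracut call as in the post, needs root.
build_initramfs() {
    dracut -f --include "$1" / "/boot/initramfs-$(uname -r).img"
}

# Usage: sh debugshell-overlay.sh [TTY [TARGET]]   (defaults: ttyS1, cryptsetup.target)
# Only acts when arguments are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    make_overlay rd.live.overlay "$1" "${2:-cryptsetup.target}"
    check_overlay rd.live.overlay "${2:-cryptsetup.target}"
    build_initramfs rd.live.overlay
fi
```

Note that the unit starts a root shell on the serial line without any authentication, and that a regenerated initramfs changes the measurements a TPM-sealed key depends on, so this overlay belongs in a debugging image only and must be left out of the image whose measurements the keys are sealed against.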